Configuring Web App Firewall profiles
To configure a user-defined Web App Firewall profile, first configure the security checks, which are calleddeep protectionsoradvanced protections在Web应用防火墙wizard. Certain checks require configuration if you are to use them at all. Others have default configurations that are safe but limited in scope; your websites might need or benefit from a different configuration that takes advantage of more features of certain security checks.
您已经配置了安全检查后,你can also configure some other settings that control the behavior, not of a single security check, but the Web App Firewall feature. The default configuration is sufficient to protect most websites, but you must review them to make sure that they are right for your protected websites.
Note:
The profile name length and all import object name length can be set up to 127 characters.
For more information about the Web App Firewall security checks, seeAdvanced Protections.
To configure a Web App Firewall profile by using the command line
At the command prompt, type the following commands:
set appfw profile[ ...] where:
- … = additional parameters and options.
For descriptions of the parameters to use when configuring specific security checks, seeAdvanced Protections.
save ns config
Example
The following example shows how to enable blocking for the HTML SQL Injection and HTML Cross-Site Scripting checks in a profile namedpr-basic. This command enables blocking for those actions while making no other changes to the profile.
set appfw profile pr-basic -crossSiteScriptingAction block -SQLInjectionAction block 结合放松规则to a Web App Firewall profile
When a Web App Firewall detects a violation, the user has the ability to bypass the action applied through relaxation rules. Relaxation rule is an exception applied to the detected security violation. For example, the Start URL relaxation rules protect against forceful browsing. Known web server vulnerabilities that are exploited by hackers can be detected and blocked by enabling a set of default Deny URL rules. Commonly launched attacks, such as Buffer Overflow, SQL, or Cross-site scripting can also be easily detected.
To bind security exemption or relaxation rules by using the CLI
At the command prompt, type:
bind appfw profile ((-startURL [-resourceId ]) | -denyURL | (-fieldConsistency [-isRegex ( REGEX | NOTREGEX )]) | (-cookieConsistency [-isRegex ( REGEX | NOTREGEX )]) | (-SQLInjection [-isRegex ( REGEX | NOTREGEX )] [-location ] [-valueType .... To bind security exemption or relaxation rules by using the GUI
- Navigate toSecurity > NetScaler Web App Firewall > Profiles.
- In the details pane, select a profile and clickEdit.
- In theNetScaler Web App Firewall Profilepage, clickRelaxation Rulesfrom theAdvanced Settingsection.
- In theRelaxation Rulessection, clickStartURLand clickEdit.
- In theStart URL Relaxation Rulespage, clickAdd.
In theStart URL Relaxation Rulepage, set the following parameters:
- Enabled. Select the check box to enable the relaxation rule
- Start URL. Enter the regular expression value
- Comments. Provide a short description about the relaxation rule.
- ClickCreateandClose.
To configure a Web App Firewall profile by using the GUI
- Navigate toSecurity > NetScaler Web App Firewall > Profiles.
- In the details pane, select the profile that you want to configure, and then clickEdit.
In theConfigure Web App Firewall Profiledialog box, on theSecurity Checkstab, configure the security checks.
To enable or disable an action for a check, in the list, select or clear the check box for the action.
To configure the parameters for the security checks in the list, select the check box and clickActive Settings.
To review log entries for the selected security check, select the check box and clickLogs. You can use this information to determine the security checks that match attacks, so that you can block the traffic for the security checks. You can also use the information to determine the checks that match legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, seeLogs, Statistics, and Reports.
To completely disable a check, in the list, clear all of the check boxes to the right of that check.
- On theSettingstab, configure the profile settings.
To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in theSignaturesdrop-down list.
Note:
You must use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.
- To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.
Note:
You must first upload the error object that you want to use in the Imports pane. For more information about importing error objects, seeImports.
- To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types.»More….
- If you want to use the learning feature, click Learning, and configure the learning settings for the profile, as described inConfiguring and Using the Learning Feature.
- ClickOKto save your changes and return to theProfilespane.
Confidential fields in WAF profile
Note
This feature is available in release 13.1 build 27.x and later.
You can now add confidential fields in a WAF profile. These fields are masked and not captured in the ADC logs when a violation occurs. Earlier you could add these fields using settings only. For more information about adding confidential fields using settings, seeConfidential fields.
- Navigate toSecurity > NetScaler Web App Firewall > Profiles.
- Select a profile and clickEdit.
InAdvanced Settings, clickConfidential Fields.
- ClickAdd.
- Enter values for the following parameters:
- Form Field Name*
- Action URL*
- Comments
A
*indicates a mandatory field - ClickCreate.
- ClickDone.